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We employ Clarkson and Schneider's "hyperproperties" to classify various verification problems 
of quantitative information flow. The results of this paper unify and extend the previous results 
on the hardness of checking and inferring quantitative information flow. In particular, we identify 
a subclass of liveness hyperproperties, which we call "^-observable hyperproperties", that can be 
checked relative to a reachability oracle via self composition. 

1 Introduction 

We consider programs containing high security inputs and low security outputs. Informally, the quan- 
titative information flow problem concerns the amount of information that an attacker can learn about 
the high security input by executing the program and observing the low security output. The problem 
is motivated by applications in information security. We refer to the classic by Denning |[T4l for an 
overview. 

In essence, quantitative information flow measures how secure, or insecure, a program (or a part of a 
program -e.g., a variable-) is. Thus, unlike non-interference lfT2l[T6l . that only tells whether a program 
is completely secure or not completely secure, a definition of quantitative information flow must be able 
to distinguish two programs that are both interfering but have different levels of security. 

For example, consider the programs Mi = ±i H = g then O : = else O : = I and M2 = O : = H. 
In both programs, H is a. high security input and O is a low security output. Viewing // as a password. 
Ml is a prototypical login program that checks if the guess g matches the password. By executing Mi , 
an attacker only learns whether H is equal to g, whereas she would be able to learn the entire content 
of H by executing M2. Hence, a reasonable definition of quantitative information flow should assign a 
higher quantity to M2 than to Mi , whereas non-interference would merely say that Mi and M2 are both 
interfering, assuming that there are more than one possible value of H. 

Researchers have attempted to formalize the definition of quantitative information flow by appealing 
to information theory. This has resulted in definitions based on the Shannon entropy |[T4l l9ll22]|. the min 
entropy [29.1 , and the guessing entropy |T^, I?!]. All of these definitions map a program (or a part of a 
program) onto a non-negative real number, that is, they define a function ^ such that given a program M, 
3t^{M) is a non-negative real number. (Concretely, ^ is SE[ijl\ for the Shannon-entropy-based definition 
with the distribution /i, ME[}x\ for the min-entropy-based definition with the distribution }X, and GE[}x\ 
for the guessing-entropy-based definition with the distribution pL.) 

In a previous work |[33l [32ll . we have proved a number of hardness results on checking and infer- 
ring quantitative information flow (QIF) according to these definitions. A key concept used to connect 
the hardness results to QIF verification problems was the notion of ^-safety, which is an instance in a 
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Liveness 
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Safety 


LBP constant bound 


Liveness 


/:-observable 


^-observable 


UBP constant bound 


Liveness 


;t-safety ll32l 


A:-safety [32] 



Table 1 : A summary of hyperproperty classifications 



collection of the class of program properties called hyperproperties lillil . In this paper, we make the 
connection explicit by providing a fine-grained classification of QIF problems, utilizing the full range of 
hyperproperties. This has a number of benefits, summarized below. 

1. ) A unified view on the hardness results of QIF problems. 

2. ) New insights into hyperproperties themselves. 

3. ) A straightforward derivation of some complexity theoretic results. 

Regarding 1.), we focus on two types of QIF problems, an upper-bounding problem that checks if QIF 
of a program is bounded above by the given number, and a lower-bounding problem that checks if QIF is 
bounded below by the given number. Then, for each QIF definitions SB, GE, ME, we classify whether or 
not they are safety hyperproperty, ^-safety hyperproperty, liveness hyperproperty, or A;-observable hyper- 
property (and give a bound on k for ^-safe/A:-observable). Safety hyperproperty, ^-safety hyperproperty, 
liveness hyperproperty, and observable hyperproperty are classes of hyperproperties defined by Clarkson 
and Schneider lITTI . In this paper, we identify new classes of hyperproperties, /:-observable hyperprop- 
erty, that is useful for classifying QIF problems, ^-observable hyperproperty is a subclass of observable 
hyperproperties, and observable hyperproperty is a subclass of liveness hyperproperties Q We focus on 
the case the input distribution is uniform, that is, jj. = U, a.s showing the hardness for a specific case 
amounts to showing the hardness for the general case. Also, checking and inferring QIF under the uni- 
formly distributed inputs has received much attention |[T7l l4llT9ll8ll22ll9l. and so, the hardness for the 
uniform case is itself of research interest]! 

Regarding 2.), we show that the ^-observable subset of the observable hyperproperties is amenable 
to verification via self composition ||5J[l3j|30l|26j|3} |, much like /c-safety hyperproperties, and identify 
which QIF problems belong to that family. We also show that the hardest of the QIF problems (but nev- 
ertheless one of the most popular) can only be classified as a general liveness hyperproperty, suggesting 
that liveness hyperproperty is a quite permissive class of hyperproperties. 

Regarding 3.), we show that many complexity theoretic results for QIF problems of loop-free boolean 
programs can be derived from their hyperproperties classifications ||33l [32l . We also prove new com- 
plexity theoretic results, including the (implicit state) complexity results for loop-ful boolean programs, 
complementing the recently proved explicit state complexity results [7 |. 

Table [T] and Table |2] summarize the hyperproperties classifications and computational complexities 
of upper/lower-bounding problems. We abbreviate lower-bounding problem, upper-bounding problem, 
and boolean programs to LBP, UBP, and BP, respectively. The "constant bound" rows correspond to 
bounding problems with a constant bound (whereas the plain bounding problems take the bound as an 
input). 

The proofs omitted from the paper appear in the extended report |[35l . 

'Technically, only non-empty observable hyperproperties are liveness hyperproperties. 

^In fact, computing QIF under other input distributions can sometimes be reduced to this case f3\. See also Section [531 
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SE[U] 


ME[U] 


GE[U] 


LBP for BP 


PSPACE-hard 


PSPACE-complete 


PSPACE-complete 


UBP for BP 


PSPACE-hard 


PSPACE-complete 


PSPACE-complete 


LBP for loop-free BP 


PP-hard 


PP-hard 


PP-hard 


UBP for loop-free BP 


PP-hard [32] 


PP-hard Oil 


PP-hard l32l 


LBP for loop-free BP, constant bound 


Unknown 


A^P-complete 


A^P-complete 


UBP for loop-free BP, constant bound 


Unknown 


coA^P-complete 


coA^P-complete 



Table 2: A summary of computational complexities 



2 Preliminaries 

2.1 Quantitative Information Flow 

We introduce the information theoretic definitions of QIF that have been proposed in literature. First, 
we review the notion of the Shannon entropy [28], Jif[lJ.]{X), which is the average of the information 
content, and intuitively, denotes the uncertainty of the random variable X. And, we review the notion of 
the conditional entropy, M'[pL\iY\Z), which denotes the uncertainty of Y after knowing Z. 

Definition 2.1 (Shannon Entropy and Conditional Entropy) Let X be a random variable with sample 
space X and jj. be a probability distribution associated with X (we write }X explicitly for clarity). The 
Shannon entropy ofX is defined as 

M'[^]{X)=Y^^i{X=x) log ^_ 

Let Y and Z be random variables with sample space Y and Z, respectively, and ii' be a probability 
distribution associated with Y and Z. Then, the conditional entropy ofY given Z is defined as 

{Y \Z) = l^ii{Z = zWilA {Y \Z = z) 

where 

je[^]{Y\Z = z)= LyeY ^{Y=y\Z = Z)log ^^(j^^ 

(The logarithm is in base 2.) 

Let M be a program that takes a high security input H, and gives the low security output trace O. 
For simplicity, we restrict to programs with just one variable of each kind, but it is trivial to extend the 
formalism to multiple variables (e.g., by letting the variables range over tuples or lists). Also, for the 
purpose of the paper, unobservable (i.e., high security) output traces are irrelevant, and so we assume 
that the only program output is the low security output trace. Let jLt be a probability distribution over the 
values of H. Then, the semantics of M can be defined by the following probability equation. (We restrict 
to deterministic programs in this paper.) 

^{0 = o)= £ ^{H = h) 

hem 
M{h) = o 
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Here, M{h) denotes the infinite low security output trace of the program M given a input h, and M{h) = o 
denotes the output trace of M given h that is equivalent to o. In this paper, we adopt the termination- 
insensitive security observation model, and let the outputs o and o' be equivalent iff V/ G G).o,- = ± VoJ = 
± Vo, = o'j where o and o,- denotes the ith element of o, and ± is the special symbol denoting terminationJl 
In this paper, programs are represented by sets of traces, and traces are represented by lists of stores 
of programs. More formally, 

M(/j) is equal to o iff ao; ai; . . . ; a,; . . . G M 

where GoiH) = h and V/ > l.a,(0) = o, (o,- denotes the ith element of o) 

Here, a denotes a store that maps variables to values. Because we restrict all programs to determin- 
istic programs, every program M satisfies the following condition: For any trace G M, we have 

where ao and Oq denote the first elements of ^ and respectively. Now, 
we are ready to define Shannon-entropy-based quantitative information flow. 

Definition 2.2 (Sliannon-Entropy-based QIF I[l4l l9l l22l ) Let M be a program with a high security in- 
put H, and a low security output trace O. Let p. be a distribution over H. Then, the Shannon-entropy- 
based quantitative information flow is defined 

SE[p]{M) = J^[p]{H) - J^[p]{H\0) 

Intuitively, J^[p]{H) denotes the initial uncertainty and J^[p]{H\0) denotes the remaining uncertainty 
after knowing the low security output trace. (For space, the paper focuses on the low-security-input free 
definitions of QIF.) 

As an example, consider the programs Mi and M2 from Section [T] For concreteness, assume that 
g is the value 01 and H ranges over the space {00,01, 10, 11}. Let U be the uniform distribution over 
{00,01, 10, 11}, that is, U{h) = 1/4 for all h G {00,01, 10, 11}. The results are as follows. 

SE[U]{Mi) = jr[[/](//)-jr[[/](//|0) = log4-|log3«. 81128 

SE[U]{M2) = J^[U]{H)-Jif[U]{H\0) = \og4-\ogl = 2 

Consequently, we have that SE[U]{Mi) < SE[U]{M2), but SE[U]{M2) ^ SE[U]{Mi). That is. Mi is more 
secure than M2 (according to the Shannon-entropy based definition with uniformly distributed inputs), 
which agrees with our intuition. 

Next, we introduce the min entropy, which has recently been suggested as an alternative measure for 
quantitative information flow (29). 

Definition 2.3 (Min Entropy) Let X and Y be random variables, and p be an associated probability 
distribution. Then, the min entropy ofX is defined 

and the conditional min entropy ofX given Y is defined 
^Here, we adopt the trace based QIF formalization of 1231 . 
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where 

y[n]{X) = max^exju(^=^) 

y[n]{X\Y=y) = max,exl^{X=x\Y =y) 

n^^mV) = LyeY^iY=y)y[^]iX\Y=y) 

Intuitively, y[lJ.]{X) represents the highest probability that an attacker guesses X in a single try. We 
now define the min-entropy-based definition of QIF. 

Definition 2.4 (Min-Entropy-based QIF |29 |) Let M be a program with a high security input H, and 
a low security output trace O. Let }X be a distribution over H. Then, the min-entropy-based quantitative 
information flow is defined 

ME[pL\{M) = ML[pL\{H) - ML[pL\{H\0) 

Computing the min-entropy based quantitative information flow for our running example programs 
Ml and M2 from Section [T] with the uniform distribution, we obtain, 

ME[U]{Mi) = J^4U]{H)-ML[U]{H\0)=\ogA-\og2 = \ 

ME[U]{M2) = ^oo[U]{H)-Mo[U]{H\0)=\ogA-\ogl=2 

Again, we have that ME[U\{Mi) < ME[U]{M2) and ME[U]{M2) t ME\U\{Mx), and so M2 is deemed 
less secure than M\ . 

The third definition of quantitative information flow treated in this paper is the one based on the 
guessing entropy f^T], that has also recently been proposed in literature |[T8l l4l. 

Definition 2.5 (Guessing Entropy) Let X and Y be random variables, and \l be an associated proba- 
bility distribution. Then, the guessing entropy ofX is defined 

^[Ai](X)= X i>^^l{X=xt) 

\<i<m 

where {x\,X2-,--- ,x,n } = X and V/, j.i < j ^ }x{X = xi) >}x{X= xj). 
The conditional guessing entropy ofX given Y is defined 

n^]{X\Y)=l^^iY=y) £ ix^{X=xt\Y=y) 

ye¥ l<i<m 

where {xi,X2, ■ ■ ■ ,Xm} =^ and ^i,j.i < j ^ }x{X = Xi\Y = y) > }x{X = Xj\Y = y). 

Intuitively, ^^[/x](X) represents the average number of times required for the attacker to guess the 
value of X. We now define the guessing-entropy -based quantitative information flow. 
Definition 2.6 (Guessing-Entropy-based QIF US^ 4 |) Let M be a program with a high security input 
H, and a low security output trace O. Let }X be a distribution over H. Then, the guessing-entropy-based 
quantitative information fiow is defined 

GE[ii]{M) = <^[^l]{H)-<^[^i]{H\0) 

We test GE on the running example from Section[I]by calculating the quantities for the programs M\ 
and M2 with the uniform distribution. 

GE[U]{Mi) = ^[U]{H)-'^[U]{H\0) = ^-1=0.15 

GE[U]{M2) = ^[[/](//)-^[t/](//|0) = §-1 = 1.5 

Therefore, we again have that GE[U]{Mi) < GE[U]{M2) and GE[U]{M2) ^ GE[U]{Mi), and so M2 
is considered less secure than Mi, even with the guessing-entropy based definition with the uniform 
distribution. 
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2.2 Bounding Problems 

We introduce the bounding problems of quantitative information flow that we classify. First, we define 
the QIF upper-bounding problems. Upper-bounding problems are defined as follows: Given a program 
M and a rational number q, decide if the information flow of M is less than or equal to q. 

'i/sE={iM,q)\SE[U]{M)<q} 
^ME={{M,q)\ME[U]{M)<q} 
'^GE = {{M,q)\GE[U]{M)<q} 

Recall that U denotes the uniform distribution. 

Next, we define lower-bounding problems. Lower-bounding problems are defined as follows: Given 
a program M and a rational number q, decide if the information flow of M is greater than q. 

^SE = {{M,q)\SE[U]{M)>q} 
^ME = {{M,q) \ME[U]{M)>q} 
^GE = {iM,q)\GE[U]iM)>q} 

2.3 Non Interference 

We recall the notion of non-interference, which, intuitively, says that the program leaks no information. 
Definition 2.7 (Non-intereference Ifl2l[l6l ) A program M is said to be non-interfering iff for any h,h' ^ 
M, M{h) = M{h'). 

Non-interference is known to be a special case of bounding problems that tests against 0. 
Theorem 2.8 ((811321) 1.) M is non-interfering iff (M,0) € ^se- 2.) M is non-interfering iff (M,0) G 
^ME- 3.) M is non-interfering iff (M,0) G ^ge- 

3 Liveness Hyperproperties 

Clarkson and Schneider have proposed the notion of hyperproperties | fTT| . 

Definition 3.1 (Hyperproperties lUll) We say that P is a hyperproperty ifP C ^(*Finf ) where ^inf is 
the set of all infinite traces, and ^{X) denote the powerset ofX. 

Note that hyperproperties are sets of trace sets. As such, they are more suitable for classifying informa- 
tion properties than the classical trace properties which are sets of traces. For example, non-interference 
is not a trace property but a hyperproperty. 

Clarkson and Schneider have identified a subclass of hyperproperties, called liveness hyperproperties, 
as a generalization of liveness properties. Intuitively, a liveness hyperproperty is a property that can not 
be refuted by a finite set of finite traces. That is, if P is a liveness hyperproperty, then for any finite set of 
finite traces T, there exists a set of traces that contains T and satisfies P. Formally, let Obs be the set of 
finite sets of finite traces, and Prop be the set of sets of infinite traces (i.e., hyperproperties), that is, 

Obs = ^*^°(»Ffin) 
Prop = ^i^,nf) 

(Here, ^^^'^{X) denotes the finite subsets of X, *Pfin denotes the set of finite traces.) Let < be the 
relation over Obs x Prop such that 

S<T iff \ft eSBt'.tot' eT 
where t ot' is the sequential composition of t and t'. Then, 
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Definition 3.2 (Liveness Hyperproperties (TT\) We say that a hyperproperty P is a liveness hyperprop- 
erty if for any set of traces S G Obs, there exists a set of traces S' € Prop such that S < S' and S' € P. 

Now, we state the first main result of tlie paper: tlie lower-bounding problems are liveness hyper- 
properties0 We note that, because QIF is restricted to that of deterministic programs in this paper, the 
results on bounding problems are for hyperproperties of deterministic systems^ 

Theorem 3.3 ^se, -^me, and ^qe ore liveness hyperproperties. 

The proof follows from the fact that, for any program M, there exists a program M' containing all the 
observations of M and has an arbitrary large information flowl^ 

We show that the upper-bounding problem for Shannon-entropy based quantitative information flow 
is also a liveness hyperproperty. 

Theorem 3.4 ^se is o liveness hyperproperty. 

The theorem follows from the fact that we can lower the amount of the information flow by adding traces 
that have the same output trace. Therefore, for any program M, there exists M' having more observation 
than M such that SE[U] {M') < q. 

3.1 Observable Hyperproperties 

Clarkson and Schneider [11] have identified a class of hyperproperties, called observable hyperproper- 
ties, to generalize the notion of observable properties 12] to sets of tracesj^ 

Definition 3.5 (Observable Hyperproperties fill) say that P is a observable hyperproperty if for 
any set of traces S £ P, there exists a set of traces T G Obs such that T < S, and for any set of traces 
S' G Prop, T <S' ^S' eP. 

We call T in the above definition an evidence. 

Intuitively, observable hyperproperty is a property that can be verified by observing a finite set of 
finite traces. We prove a relationship between observable hyperproperties and liveness hyperproperties. 

Theorem 3.6 Every non-empty observable hyperproperty is a liveness hyperproperty. 

Proof: Let P be a non-empty observable hyperproperty. It must be the case that there exists a set of 
traces M e P. Then, there exists T G Obs such that T < M and VM' G Prop.T <M'^M'eP. For 
any set of traces S G Obs, there exists M' G Prop such that 5 < M'. Then, we have MUM' £ P, because 
T <MU M'. Therefore, P is a liveness hyperproperty. □ 

We note that the empty set is not a liveness hyperproperty but an observable hyperproperty. 

We show that lower-bounding problems for min-entropy and guessing-entropy are observable hyper- 
properties. 

Theorem 3.7 ^me is an observable hyperproperty. 

Theorem 3.8 .^ge is an observable hyperproperty. 

^We implicitly extend the notion of hyperproperties to classify hyperproperties that take programs and rational numbers. 
Seel32l. 

^This is done simply by restricting Ohs and Prop to those of deterministic systems. See 1 1 1 1 for detail. 

^Here, we assume that the input domains are not bounded. Therefore, we can construct a program that leaks more high- 
security inputs by enlarging the input domain. Hyperproperty classifications of bounding problems with bounded domains 
appear in Section lSTI 

^Roughly, an observable property is a set of traces having a finite evidence prefix such that any trace having the prefix is 
also in the set. 



84 



Quantitative Information Flow as Safety and Liveness Hyperproperties 



Theorem 13.71 follows from the fact that, if {M,q) € ^me^ then M contains an evidence of ^me- This 
follows from the fact that when a program M' contains at least as much observation as M, ME\U]{M) < 
ME[U]{M') (cf. Lemma [3.15l ). Theorem I3.8l is proven in a similar manner. 

We show that neither of the bounding problems for Shannon-entropy are observable hyperproperties. 

Theorem 3.9 Neither '^se nor ^se is tin observable hyperproperty. 

We give the intuition of the proof for ^se- Suppose SE[U]{M) <q.M does not provide an evidence of 
SE\U]{M) < q, because for any potential evidence, we can raise the amount of the information flow by 
adding traces that have disjoint output traces. The result for ^se is shown in a similar manner. 

It is interesting to note that the bounding problems of SE can only be classified as general liveness 
hyperproperties (cf. Theorem 13.31 and 13.41 ) even though SE is often the preferred definition of QIF in 
practice |[T4l l9l l22l. This suggests that approximation techniques may be necessary for checking and 
inferring Shannon-entropy-based QIF. 

3.2 K-Observable Hyperproperties 

We define /:-observable hyperproperty that refines the notion of observable hyperproperties. Informally, 
a ^-observable hyperproperty is a hyperproperty that can be verified by observing k finite traces. 
Definition 3.10 (K-Observable Hyperproperties) We say that a hyperproperty P is a k-observable hy- 
perproperty if for any set of traces S £ P, there exists T € Obs such that T < S, \T\ < k, and for any set 
of traces S' G Prop, T < S' ^ S' £ P. 

Clearly, any A;-observable hyperproperty is an observable hyperproperty. 

We note that ^-observable hyperproperties can be reduced to 1 -observable hyperproperties by a sim- 
ple program transformation called self composition [5. 131. 

Definition 3.11 (Parallel Self Composition iflTl ) Parallel self composition ofS is defined as follows. 

SxS= {(^[0],/[0]); (41], ^'[1]); m,s'[2]y,- ■■\s,s'£S} 
where s[i] denotes the ith element of s. 

Then, a ^-product parallel self composition (simply self composition henceforth) is defined as 5*^. 
Theorem 3.12 Every k-observable hyperproperty can be reduced to a l-observable hyperproperty via a 
k-product self composition. 

As an example, consider the following hyperproperty. The hyperproperty is the set of programs that re- 
turn 1 and 2 for some inputs. Intuitively, the hyperproperty expresses two good things happen (programs 
return I and 2) for programs. 

{M I 3h,h'.M{h) = 1 AM{h') = 2} 

This is a 2-observable hyperproperty as any program containing two traces, one having 1 as the output 
and the other having 2 as the output, satisfies it. 

We can check the above property by self composition. (Here, 1 1 denotes a parallel composition.) 

M'{H,H') = 0:=M{H)\\0' :=M{H')\\assert{^{0 = l AO' = 2)) 

Clearly, M satisfies the property iff the assertion failure is reachable in the above program, that is, iff the 
predicate O = I AO' = 2 holds for some inputs H,H'. (Note that, for convenience, we take an assertion 
failure to be a "good thing".) 

We show that neither the lower-bounding problem for min-entropy nor the lower-bounding problem 
for guessing-entropy is a A:-observable hyperproperty for any k. 
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Theorem 3.13 Neither ^me nor ^qe ci k-observable property for any k. 

However, if we let g be a constant, then we obtain different results. First, we show that the lower- 
bounding problem for min-entropy-based quantitative information flow under a constant bound q, is a 
[2'^^ J + 1 -observable hyperproperty. 

Theorem 3.14 Let q be a constant. Then, J^me ci [2^ J + \-observable hyperproperty. 

The theorem follows from Lemma 13.151 below which states that min-entropy based quantitative infor- 
mation flow under the uniform distribution coincides with the logarithm of the number of output traces. 
That is, (M, q) G .^me iff there is an evidence in M containing [2^J + 1 disjoint outputs. 

Lemma 3.15 ((H) ME[U]{M) = log \{o \ 3h.M{h) = o}\ 

Next, we show that the lower-bounding problem for guessing-entropy -based quantitative information 
flow under a constant bound ^ is a L|^^fT~^J + 1-observable hyperproperty. 

Theorem 3.16 Let q be a constant. Then, ££ge is a [ [^j^_^^/J^ J + \-observable hyperproperty. 

The proof of the theorem is similar to that of Theorem 13.141 in that the size of the evidence set can be 
computed from the bound q. 

3.3 Computational Complexities 

We prove computational complexities of =2m£ and ^g£- by utilizing their hyperproperty classifications. 
Following previous work 133.13211711. we focus on boolean programs. 

First, we introduce the syntax of boolean programs. The semantics of boolean programs is standard. 
We call boolean programs without while statements loop-free boolean programs. 



In this paper, we are interested in the computational complexity with respect to the syntactic size 
of the input program (i.e., "implicit state complexity", as opposed to [7] which studies complexity over 
programs represented as explicit states). 

We show that the lower-bounding problems for min-entropy and guessing-entropy are PP-hard. 

Theorem 3.17 .^me o-nd S^cEfor loop-free boolean programs are PP-hard. 

The theorem is proven by a reduction from MAJSAT, which is a PP-hard problem. PP is the set of 
decision problems solvable by a polynomial-time nondeterministic Turing machine which accepts the 
input iff more than half of the computation paths accept. MAJSAT is the problem of deciding, given a 
boolean formula over variables , if there are more than 2l^l^' satisfying assignments to 0. 

Next, we show that if ^ be a constant, the upper-bounding problems for min-entropy and guessing- 
entropy become A^P-complete. 

Theorem 3.18 Let q be a constant Then, .^me cmd ^ge cif^ NP -complete for loop-free boolean pro- 
grams. 



M 
<!>,¥ 



x:=\i/\ Mo;Mi \ if Xj/ then Mq else Mi | while y/ do M | skip 
true \x \ (j) Ay\^<I> 



Figure 1 : The syntax of boolean programs 
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A^P-hardness is proven by a reduction from SAT, which is a A^P-compIete problem. The proof that ^me 
and for a constant q are in NP follows from the fact that ^me and ^ge are ^-observable hyper- 
properties for some k. We give the proof intuition for ^me- Recall that ^-observable hyperproperties can 
be reduced to 1 -observable hyperproperties via self composition. Consequently, it is possible to decide 
if the information flow of a given program M is greater than q by checking if the predicate of the assert 
statement is violated for some inputs in the following program. 

M'iHuH2,...,H„) = 

Ox ■.= M{Hx);02:=M{H2);...;0„ ■.= M{H„y, 
assert(V,-,ye{i,...,„}(0,- = OjAi^j)) 

where n = [2^J + 1. Let be the weakest precondition of 6>i := M(//i); O2 := M{H2);. ..■,0n-= M{H„) 
with respect to the post condition V(.;e{i n} {Oi = Oj A / / 7). Then, ME[U ] (M) > ^ iff -i0 is satisfiable. 
Because a weakest precondition of a loop-free boolean program is a polynomial size boolean formula 
over the boolean variables representing the input^, deciding ME[U]{M) > q is reducible to SAT. 

For boolean programs (with loops), ^me and J^'ge are PSPACE-complete, and ^se is PSPACE-hard 
(the tight upper-bound is open for ^se)- 

Theorem 3.19 ^me and J^ge cire PSPACE-complete for boolean programs. 
Theorem 3.20 J^se is PSPACE-hard for boolean programs. 

4 Safety Hyperproperties 

Clarkson and Schneider fTTl have proposed safety hyperproperties, a subclass of hyperproperties, as a 
generalization of safety properties. Intuitively, a safety hyperproperty is a hyperproperty that can be 
refuted by observing a finite set of finite traces. 

Definition 4.1 (Safety Hyperproperties lITTIl ) We say that a hyperproperty P is a safety hyperproperty 
if for any set of traces S ^ P, there exists a set of traces T € Obs such that T < S, and V5' G Prop.T < 
S' ^S' ^ P. 

We classify some upper-bounding problems as safety hyperproperties. 

Theorem 4.2 Ume ond Uge ore safety hyperproperties. 

Next, we review the definition of ^-safety hyperproperties [11], which refines the notion of safety hy- 
perproperties. Informally, a k-s&fety hyperproperty is a hyperproperty which can be refuted by observing 
k number of finite traces. 

Definition 4.3 (K-Safety Hyperproperties iflTl ) We say that a hyperproperty P is a k-safety property 
if for any set of traces S ^ P, there exists a set of traces T G Obs such that T < S, \T\ <k, and MS' € 
Prop.T <S' ^S' ^P. 

Note that 1 -safety hyperproperty is just the standard safety property, that is, a property that can be refuted 
by observing a finite execution trace. The notion of ^-safety hyperproperties first came into limelight 
when it was noticed that non-interference is a 2-safety hyperproperty, but not a 1 -safety hyperprop- 
erty 1301. 

A fc-safety hyperproperty can be reduced to a 1 -safety hyperproperty by self composition ll5l [T3]| . 



For loop-free boolean programs, a weakest precondition can be constructed in polynomial time I15II21I . 
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Theorem 4.4 ( 1111 ) k-safety hyperproperty can be reduced to \-safety hyperproperty by self composi- 
tion. 

We have shown in our previous work that '^me and '^ge are ^-safety hyperproperties when the bound 
q is fixed to a constant. 

Theorem 4.5 ( 11321 ) Let q be a constant, '^me i^ ci [2^ J + \-safety property. 
Theorem 4.6 ( 1321 ) Let q be a constant, '^ge i^ ci L|^^+i~^J + ^safety property. 

The only hyperproperty that is both a safety hyperproperty and a liveness hyperproperty is ^{^inf), 
that is, the set of all traces ifTTI . Consequently, neither '^me nor ^ge is a Uveness hyperproperty. 

We have also shown in the previous work that the upper-bounding problem for Shannon-entropy 
based quantitative information flow is not a ^-safety hyperproperty, even when <7 is a constant. 

Theorem 4.7 ( B321 ) Let q be a constant, '^se i^ not a k-safety property for any k > 0. 
4.1 Computational Complexities 

We prove computational complexities of upper-bounding problems by utilizing their hyperproperty clas- 
sifications. As in Section 1331 we focus on boolean programs. 

First, we show that when ^ is a constant, Ume and Uge are coA^P-complete. 

Theorem 4.8 Let q be a constant. Then, '^me and '^ge are coNP-complete for loop-free boolean pro- 
grams. 

coM'-hardness follows from the fact that non-interference is coA^P-hard 1,32 1 . The coNP part of the 
proof is similar to the NP part of Theorem 13.181 and uses the fact that '^me is ^-safety for a fixed q and 
uses self composition. By self composition, the upper-bounding problem can be reduced to a reachability 
problem (i.e., an assertion failure is unreachable for any input). To decide if ME\U]{M) < q, we construct 
the following self-composed program M' from the given program M. 

M'{HuH2,...,Hn) = 

Oi ■.= M{Hy);02:=M{H2);...;On:=M{Hn); 
assert(V,-je{i,...,„}(Oi = OjM / j)) 

where n = [2^^] + 1. Then, the weakest precondition of 0\ := M{H\);02 := M{H2);. ..^On := M{H„) 
with respect to the post condition \/ije{i n}{Oi = Oj A / ^ j) is valid iff ME[U]{M) < q. Because 
a weakest precondition of a loop-free boolean program is a polynomial size boolean formula, and the 
problem of deciding a given boolean formula is valid is a coA^P-complete problem, "^me is in coNP. 

Like the lower-bounding problems ^me and ^ge for boolean programs (with loops) are PSPACE- 
complete, and ^se is PSPACE-hard. 

Theorem 4.9 ^me and ^ge are PSPACE-complete for boolean programs. 
Theorem 4.10 "Wse is PSPACE-hard for boolean programs. 
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5 Discussion 

5.1 Bounding Domains 

The notion of hyperproperty is defined over all programs regardless of their size. (For example, non- 
interference is a 2-safety property for all programs and reachability is a safety property for all programs.) 
But, it is easy to show that the lower bounding problems would become "/^-observable" hyperproperties 
if we constrained and bounded the input domains because then the size of the semantics (i.e., the number 
of traces) of such programs would be bounded by |E[| (and upper bounding problems would become 
"/c-safety" hyperproperties ll32l ). In this case, the problems are trivially |EI| -observable hyperproperties. 
However, these bounds are high for all but very small domains, and are unlikely to lead to a practical 
verification method. 

5.2 Observable Hyperproperties and Observable Properties 

As remarked in [11 J, observable hyperproperties generalize the notion of observable properties 0. It 
can be shown that there exists a non-empty observable property that is not a liveness property (e.g., the 
set of all traces that starts with a). In contrast. Theorem 13.61 states that every non-empty observable 
hyperproperty is also a liveness hyperproperty. Intuitively, this follows because the hyperproperty ex- 
tension relation < allows the right-hand side to contain traces that does not appear in the left-hand side. 
Therefore, for any T G Obs, there exists T' G Prop that contains T and an evidence of the observable 
hyperproperty. 

5.3 Maximum of QIF over Distribution 

Researchers have studied the maximum of QIF over the distribution. For example, channel capacity |[25l 
|23l|27l is the maximum of the Shannon-entropy based quantitative information flow over the distribution 
(i.e., m&x^SElp]). Smith ["SQ] showed that for any program without low-security inputs, the channel 
capacity is equal to the min-entropy-based quantitative information flow, that is, max^5£'[/x] =ME\U\. 
Therefore, we obtain the same hyperproperty classifications and complexity results for channel capacity 
asM£[[/]. 

Min-entropy channel capacity and guessing-entropy channel capacity are respectively the maxi- 
mums of min-entropy based and guessing-entropy based QIF over distributions (i.e., max^M£'[/i] and 
max^G£[At]). It has been shown that max^M£'[/i] = ME[U] JS |2Pl and max^ G£[;U] = GE[U] | |34l . 
that is, they attain their maximums when the distributions are uniform. Therefore, they have the same 
hyperproperty classifications and complexities as ME\U] and GE\U], which we have already analyzed in 
this paper. 

6 Related Work 

Cemy et al. [Tl have investigated the computational complexity of Shannon-entropy based QIF. For- 
mally, they have defined a Shannon-entropy based QIF for interactive boolean programs, and showed 
that the explicit-state computational complexity of their lower-bounding problem is /'5PAC£'-complete. 
In contrast, this paper's complexity results are "implicit" complexity results of bounding problems of 
boolean programs (i.e., complexity relative to the syntactic size of the input) some of which are obtained 
by utilizing their hyperproperties classifications. 
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Clarkson and Schneider ifTTTl have classified quantitative information flow problems via hyperprop- 
erties. Namely, they have shown that the problem of deciding if the channel capacity of a given program 
is q, is a liveness hyperproperty. And, they have shown that an upper-bounding problem for the belief- 
based QIF lITOl is a safety hyperproperty. (It is possible to refine their result to show that their problem 
for deterministic programs is actually equivalent to non-interference, and therefore, is a 2-safety hyper- 
property Il34l .) 



7 Conclusion 

We have related the upper and lower bounding problems of quantitative information flow, for various 
information theoretic definitions proposed in literature, to Clarkson and Schneider's hyperproperties. 
Hyperproperties generalize the classical trace properties, and are thought to be more suitable for classi- 
fying information flow properties as they are relations over sets of program traces. Our results confirm 
this by giving a fine-grained classification and showing that it gives insights into the complexity of 
the QIF bounding problems. One of the contributions is a new class of hyperproperties: k-observable 
hyperproperty. We have shown that /c-observable hyperproperties are amenable to verification via self 
composition. 
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